AUDIT OF NARA'S IMPLEMENTATION OF THE FEDERAL DESKTOP CORE CONFIGURATION

OIG Report No. 08-10

August 26, 2008

OIG Audit Report No. 08-10

EXECUTIVE SUMMARY

The National Archives and Records Administration (NARA) Office of Inspector General (OIG) completed an audit of NARA's implementation of the Federal Desktop Core Configuration (FDCC). During the audit, we evaluated NARA's status of implementing FDCC; plans for applying FDCC across the enterprise; and reports to the Office of Management and Budget (OMB) to determine whether NARA had adequately implemented FDCC as required by OMB.

FDCC is an OMB mandated security configuration checklist[1] for Microsoft Windows XP and Vista operating system software. Developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DOD), and the Department of Homeland Security (DHS), FDCC is a set of operating-system configurations, such as password requirements and turning off unused services, designed to ensure security. In March 2007, OMB directed agencies using Windows XP and Vista to adopt these security configurations. Agencies were required to submit their draft implementation plans to OMB by May 1, 2007 and adopt the standard security configurations by February 1, 2008.

Our review found that NARA missed the deadline for implementation of the OMB mandated FDCC settings and inaccurately reported their status to OMB. Additionally, NARA has not:
   (a) Developed sufficient implementation and test plans;
   (b) Developed plans to resolve identified deviations from FDCC; and
   (c) Enforced FDCC password settings.

The use of a standardized security configuration checklist, such as FDCC, can reduce the vulnerability exposure of IT products and be particularly helpful to small organizations for securing their systems.
The FDCC settings were developed to improve information security and overall network performance while lowering operating costs. Effective and well-tested security configurations mean less time and money is spent eradicating malware[2], restoring systems from backups, and reinstalling operating systems and applications. By not implementing these configurations, NARA is not able to achieve these benefits and mitigate their cyber security risks.

We made five recommendations that when implemented will assist NARA in implementing the mandated FDCC configurations.

[1] A security configuration checklist is a series of documented instructions for configuring a product to a pre-defined operational environment.
[2] Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Malware includes computer viruses, worms, Trojan horses, spyware, and other malicious and unwanted software.

Page 1
National Archives and Records Administration

BACKGROUND

On March 22, 2007, OMB issued memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, directing agencies who use Windows XP and Vista to adopt the security configurations developed by NIST, DoD, and DHS. While not addressed specifically as "Federal Desktop Core Configuration", the FDCC was originally called for in this memo to all Federal agencies and department heads and in a corresponding memorandum, Establishment of Windows XP and VISTA Virtual Machine Procedures for Adopting the Federal Desktop Core Configurations, from OMB to all Federal agency and department Chief Information Officers (CIOs).
Agencies with these operating systems were required to submit their draft implementation plans to OMB by May 1, 2007 and adopt the standard security configurations by February 1, 2008. NARA employs the Windows XP operating system and thus falls within this population.

To develop the FDCC settings, DoD worked with NIST and DHS to reach a consensus agreement on security configurations for Windows XP desktops. The Windows XP FDCC is based on the Air Force's customization of the recommendations in NIST Special Publication (SP) 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, which was created in October 2005 to assist IT professionals in effectively securing Windows XP Professional systems. With these settings, information is more secure, overall network performance is improved, and overall operating costs are lowered.

In order to report compliance with FDCC, NIST developed a suite of interoperable and automatable security standards known as the Security Content Automation Protocol (SCAP). To achieve the goals set forth in OMB Memorandum M-07-11, it is necessary for agencies to have a security configuration scanning tool that uses official SCAP content. Through the use of SCAP compliant tools and official FDCC SCAP content, agencies can routinely monitor their systems to ensure that the FDCC settings have not been altered as a result of patching, installation of new software, or human interaction. The tools compare the deployed configuration against the official SCAP FDCC content and report on any discrepancies so corrective action can be taken.

As an integral part of the continuous monitoring of systems configured to FDCC, agencies must report their testing results to OMB and NIST. Using the SCAP reporting format enables NIST to effectively collect and organize the results for analysis and trending over time.
NIST will aggregate the results from all agencies, but will not generally provide direct feedback to each individual agency concerning their results.

NARA's Office of Information Services (NH) manages all matters relating to information technology programs, projects, processes, and infrastructure. NH is responsible for ensuring that NARA's IT program conforms to all NARA and Federal standards, policies, and guidelines for interconnectivity and interoperability, computer system efficiency, and computer security. Within NH, the Information Technology Services Division (NHT) oversees the delivery of network and computer services across the enterprise and the Information Technology Security Staff (NHI) develops and maintains NARA's agency-wide information technology security program. Members of NHT and NHI are working together to implement the FDCC settings at NARA.

NARA has about 4,100 Windows XP workstations located at Archives I, Archives II, and various regional offices around the country. Currently, there are 12 variants of a Windows XP Professional baseline image running on these workstations. NARA plans to create and deploy a new baseline image compliant with the FDCC settings by July 28, 2008. With the use of Novell ZENworks[3], NARA plans to automatically distribute and manage the FDCC settings for their Windows XP workstations. To report their compliance to OMB, NARA purchased ThreatGuard's Secutor Prime software, which is capable of using NIST's SCAP content.

OBJECTIVE, SCOPE, METHODOLOGY

The objective of this audit was to determine whether NARA had adequately implemented the FDCC settings as required by OMB.
Specifically, we determined whether NARA (a) met the OMB mandated deadline; (b) adequately reported their status to OMB; and (c) developed adequate plans for implementing FDCC across the enterprise.

We examined applicable laws, regulations, NARA guidance, and other IT-related guidance, including (a) Federal Information Security Management Act; (b) OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems; (c) NIST SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist; (d) NIST SP 800-70, Security Configuration Checklists Program for IT Products - Guidance for Checklist Users and Developers; and (e) NARA Interim Guidance 804-2, NARANET Password Requirements.

To accomplish our objective, we reviewed and analyzed: (a) NARA's FDCC status reports and implementation plans submitted to OMB; (b) deviation reports; (c) Request for Change (RFC) for the deployment of current standard Group Policy/Windows Operating System Settings; and (d) Plan of Action and Milestones (POA&Ms). In addition, we interviewed the NARA CIO and NH officials responsible for implementing FDCC to determine whether they were able to meet the OMB mandated deadline and identify any possible constraints in meeting the deadline.

Our audit work was performed at Archives II in College Park, MD between April 2008 and July 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[3] Novell ZENworks uses policy-driven automation to reduce and in some cases eliminate desktop management tasks such as software distribution, software repair, desktop configuration, workstation imaging, remote management, and workstation inventory throughout the lifecycle of the device.

FINDINGS AND RECOMMENDATIONS

FDCC Settings Not Implemented

NARA missed the deadline for implementing the OMB mandated FDCC settings across their enterprise. This condition occurred because of lack of management attention, resources, and experience with automated tools. OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, required agencies to adopt the standard security configurations (FDCC) by February 1, 2008. According to an OMB official, OMB expects agencies to implement the requirements of memoranda on a timely basis. By not implementing these settings, NARA desktops are not set to the most secure and restricted configuration settings.

In their February 6, 2008 submission to OMB, NARA reported that none of its 4,100[4] Windows XP desktops were fully compliant with the FDCC. According to an NH official, NARA has no method or tool in place to determine the level of compliance for the workstations currently used. However, scans conducted by an NH official in December 2007 and April 2008 of two existing workstations reported that they were 57% and 67% compliant with FDCC.
In March 2008, NARA developed a standard baseline image[5] for desktops that was reported by NH as 92% compliant with the FDCC settings. However, this image is not scheduled to be deployed to NARA desktops until July 28, 2008, almost six months past the OMB deadline.

NARA was not able to implement FDCC due to a lack of management attention, resources, and experience with automated tools. The FDCC Request for Change (RFC)[6] was not submitted for approval until March 13, 2008, almost six weeks after the OMB set deadline. In addition, NH officials were not assigned responsibility for implementing FDCC until after the OMB deadline. We were informed by the CIO that resources were not available for the implementation of FDCC prior to the deadline; however, additional resources were not identified or requested during this time. According to the CIO, NH did not have the funding, manpower, or tools to implement FDCC. Further, NARA did not have a plan or prior experience using Novell ZENworks to distribute or to manage Windows XP desktop settings.

Consequently, NARA desktops are not set to the most secure and restricted configuration settings. The FDCC settings were developed to improve information security and overall network performance while lowering operating costs. By not implementing these configurations, NARA is not able to achieve these benefits and mitigate their cyber security risks.

[4] In the submission to OMB, NARA incorrectly reported 4,400 workstations. The number of workstations reported should have been 4,100.
[5] A standard baseline image is a set of standard software, which usually includes the operating system (e.g. Windows XP), word processing, spreadsheet, presentation, and database management software (e.g. Office XP), along with an Internet browser (e.g., MS Internet Explorer or Netscape) and an e-mail package (e.g. GroupWise), that is preloaded on each desktop.
[6] RFCs are forms used to submit, track, and manage requests for changes to configuration items that comprise the NARA Enterprise Architecture (EA) work products when those changes are not identified as part of the EA Program Plan.

Recommendation 1

The CIO should:

    (a) Define those resources required to implement FDCC and seek additional funding if required.

    (b) Develop a plan to automate the distribution of FDCC settings to individual desktops.

Management Comment(s)

Management concurred with recommendations and indicated that actions have been completed.

OIG Response to Management Response

We disagree with part of management's position. While we did receive the latest Request for Change (RFC), which included an approach to implement the FDCC settings, the finding remains open. NARA has not completed the implementation of the FDCC. As of August 19, 2008, FDCC settings have been successfully applied to about 76 percent of NARA's desktops (3,123 of approximately 4,100). In addition, failures were identified in at least 298 desktops and remain unresolved.

Inaccurate Reporting to OMB

The status report submitted to OMB on March 31, 2008 was inaccurate and did not meet OMB's reporting guidelines to demonstrate compliance with OMB M-07-11. This condition occurred because NARA had no automated method or tool in place to determine the level of compliance for the workstations currently in use.
By not accurately reporting to OMB, OMB is not aware of NARA's current status and NIST cannot make any necessary changes to the FDCC program.

OMB Memorandum M-07-11 required agencies to adopt the standard security configurations (FDCC) and subsequent NIST and OMB instructions required agencies to report the details of their implementation status. Specifically, OMB and NIST required agencies to report computer counts and FDCC deviations[7] for each operational environment/system present within the agency. Agencies were required to report on a single representative computer for each combination of environment/system role and FDCC operating system and then report the number of FDCC deviations.

[7] For each FDCC setting, NIST assigned an identification number. Agencies were required to submit the total number of non-compliant FDCC settings and list them by their identification number.

In their March 31, 2008 report to OMB, NARA reported on a sample of three desktops that contained the new baseline image, which had not been deployed enterprise wide. Therefore, the sample was not representative of NARA's current Centrally Managed General Purpose Desktop Environment and the number of deviations was not representative of NARA's implementation status. While NARA reported only 18 FDCC deviations, the deployed desktops used by the agency had numerous deviations. Specifically, a scan of an existing desktop showed at least 119 deviations from the FDCC settings.

In addition, NARA did not report on all of the operational environments/systems within the agency. Subsequent to the submission, an NH official identified additional desktops that were not captured in their March 2008 report to OMB.
These additional desktops are part of NARA's classified systems, which use the Windows XP operating system, but are not part of the Centrally Managed General Purpose Desktop Environment.

NARA was unable to report on the compliance of their workstations currently in use because of the variety of baselines installed on these workstations. Currently, there are 12 variants of a Windows XP Professional baseline image running on these workstations. These settings are not currently managed through a central method, which restricts the ability to verify the level of compliance of all enterprise workstations. NH officials decided not to expend resources in testing the compliance of each of these baselines and any variants. Instead, they reported on the baseline that was created to be in compliance with FDCC. Additionally, the OMB submission did not allow for additional comments for NH officials to provide clarifying statements.

By not accurately reporting to OMB, OMB is not aware of NARA's current status and NIST cannot make any necessary changes to the FDCC program. In addition, NARA has no basis for requesting additional resources to implement FDCC settings.

Recommendation 2

We recommend the CIO provide a disclaimer statement in their next status report to OMB, stating that the sample is not representative of their current environment, and an explanation.

Management Comment(s)

Management concurred with recommendation.

Implementation and Test Plans Not Developed

NARA did not develop sufficient implementation and test plans for applying FDCC settings across the enterprise as required by OMB and recommended by NIST.
This condition occurred because of a lack of staffing resources and management attention. Without adequate plans, NARA's successful implementation of FDCC could be at risk.

Implementation Plans

OMB Memorandum M-07-11 required agencies to develop draft implementation plans for Commonly Accepted Security Configurations (FDCC) and submit the plans to OMB by May 1, 2007. A subsequent OMB Memorandum to agency CIOs outlined the required elements for the implementation plans. According to this memo, implementation plans should have described various items such as testing, implementing, and automating enforcement of these configurations.

In the implementation plan submitted to OMB on April 30, 2007, NARA briefly addressed each of the required items. However, none of the items addressed how NARA would implement the FDCC for their Windows XP desktops. For example, NARA's response to "ensuring these configurations are incorporated into agency capital planning and investment control (CPIC) processes" only stated the following:

    An integral component of NARA's CPIC process is a review of potential investments by the agency Enterprise Architecture Review Board (ARB). The ARB was constituted in December 2006. Conformance to the agency approved Technology Standards Profile is considered to be part of the technical review process within the ARB.

NARA's response did not indicate whether implementing these configurations was incorporated in their CPIC process. We found that the FDCC requirement had not been included in NARA's CPIC process, which ensures that senior management has the timely, accurate information required to authorize information systems development and financial commitments.
If the FDCC requirement had been included in NARA's CPIC process, adequate plans and resources could have been developed and assigned. Therefore, the plans submitted to OMB were not sufficient to implement FDCC settings.

In March 2008, a month after the OMB deadline, the Information Technology Services Division (NHT) recommended two approaches to bring all workstations into compliance with FDCC. The first was through the use of the PC Refresh[8] and the second was through the development of centrally managed security policies that could be deployed to current workstations. However, as of May 2008, formal plans and schedules to implement these two approaches have not been developed.

[8] During the PC Refresh, NHT will replace 25% of the current workstations within NARANet. All of the new workstations will receive the 92% FDCC compliant baseline image.

Test Plans

According to NIST, adequate testing is an important element in implementing new security settings, such as FDCC. Prior to introducing any system modification in the production environment, configurations should be tested in a non-production environment[9] to identify adverse effects on system functionality.
NIST recommends testing for all security controls to determine what impact they have on system security, functionality, and usability, and taking appropriate steps to address any significant issues. With regard to FDCC settings, NIST stated that there are a number of settings which will impact system functionality and agencies should test thoroughly before they are deployed in an operational environment.

We found that test plans have not been developed for testing the FDCC settings at NARA. One contractor involved in the process warned that there will have to be some extensive testing with the following NARA systems: Order Fulfillment and Accounting System (OFAS), Records Management Application (RMA), and Case Management and Reporting System (CMRS). Despite this warning, test plans have not been developed.

Implementation and test plans were not developed due to a lack of staffing resources and lack of management attention. When asked why resources were not allocated to develop plans for implementing FDCC, the CIO stated, "It is difficult to keep up with all the OMB data calls and new requirements." Also, we were informed by NH officials that NARA had limited staff to test configurations and correct any identified problems. However, additional resources have not been identified or requested.

The OMB policy analyst heading the FDCC initiative was quoted as saying OMB "wants agencies to understand their universe and have a plan to get to FDCC compliance". Without adequate plans, the implementation of FDCC may not be successful. If adequate test plans are not developed, functionality or usability problems may not be identified and certain settings could cause unexpected problems.

After completion of our audit fieldwork, we were provided with test procedures for the installation of the FDCC settings on NARA workstations.
We will analyze these procedures and provide our opinion in a subsequent reporting document.

Recommendation 3

We recommend the CIO allocate resources to develop adequate implementation and testing plans.

Management Comment(s)

Management concurred with recommendation and indicated that actions have been completed.

[9] Non-production environments allow developers to test new configurations prior to implementing in the production environment.

OIG Response to Management Response

We disagree with part of management's position. While we did receive copies of the implementation and test plans, NARA has not successfully implemented the FDCC settings. In addition, our review of the test plans and results disclosed that the test results were incomplete and did not indicate how or if testing errors were corrected.

Plan of Action and Milestones Not Created

NARA has not developed adequate plans to resolve the identified deviations from FDCC as required by the Federal Information Security Management Act (FISMA) and OMB. This condition occurred because NH officials failed to include the FDCC deviations on their Plan of Action and Milestones (POA&M) and had no definitive plans for implementing most of the FDCC deviations. A similar finding was identified in OIG Report No. 08-05, Audit of NARA's Compliance with the Federal Information Security Management Act for FY 2007.
By not including these deviations in a POA&M, the CIO may not have proper visibility of the deviations and cannot use the POA&M as an effective management tool to request and allocate resources to implement FDCC security settings.

FISMA requires Federal agencies to develop a process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the agency. OMB Memoranda M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, and M-04-25, Reporting Instructions for the Federal Information Security Management Act, provide instructions on how to implement a Plan of Action and Milestones (POA&M) process and the information needed to report and track weaknesses identified. The purpose of the POA&M is to help agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.

We found that NARA had not developed adequate plans to resolve the identified deviations from FDCC. Of the 18 deviations identified in NARA's proposed baseline image for Windows XP desktops, only four were included in a POA&M. The 14 deviations not included in a POA&M consist of settings related to passwords, encryption, automatic logons, and administrator account status.

Most of the 14 deviations were not included in a POA&M because NARA did not have definitive plans for implementing these items by a specified date. However, NH officials are now considering creating a single POA&M item to review the remaining FDCC setting deviations on a defined, periodic basis to evaluate what can be done to bring them into compliance.

By not including these deviations in a POA&M, the CIO may not have proper visibility of the deviations and cannot use the POA&M as an effective management tool to request and allocate resources to implement FDCC security settings.

Recommendation 4

We recommend the CIO include the remaining FDCC deviations in a POA&M and address each of these items.

Management Comment(s)

Management concurred with recommendation.

Strong Password Requirements Not Implemented

NARA has not implemented the required FDCC password settings. This condition occurred because NARA's password policy has not been updated for the use of strong password requirements. Additionally, weaknesses related to passwords, password management, and access controls have been identified in several past OIG Reports[10]. Without strong password requirements, NARA is at risk of an individual gaining unauthorized access, which can lead to the loss of data confidentiality and integrity.

FDCC follows the Password Policy Settings outlined in NIST SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, October 2005. These settings include enforcing password history, maximum password age, minimum password age, minimum password length, and complexity requirements. NARA's password requirements are outlined in NARA Interim Guidance 804-2, NARANET Password Requirements, dated December 11, 2001. This guidance describes the minimum length and complexity requirements for NARANET passwords.

[10] These reports include Audit of the NARA Systems Security Program, OIG Report No. 01-05; Firewall and Network Configuration Advisory Report, OIG Report No. 02-12; Evaluation of the NARA's Password Controls, OIG Report No. 04-23; and Audit of NARA's Network Perimeter, OIG Report No. 06-01.

When asked about constraints in implementing these settings, NH officials stated that one of these settings cannot be implemented because of a technical problem with Novell. ---Redacted pursuant to FOIA Exemption b(2)---- NH officials were not aware of any other technical difficulties with the remaining password [...]. However, NH officials [...] will cause difficulties for [...].

[...] Perceived difficulties with conforming to FDCC settings do not validate nonconformance with government-wide requirements.

Access controls such as strong password requirements increase network and application security. Passwords are NARA's first line of defense in protecting user email accounts and other NARA information assets. Without strong password requirements, NARA is at risk of an individual who is not permitted to access a system gaining unauthorized access, which can lead to the loss of data confidentiality and integrity.

Recommendation 5

The CIO should:

   (a) Update NARA's password requirements to include the requirements detailed in NIST SP 800-68 and FDCC settings.

   (b) Implement FDCC password requirements for NARA desktops.

Management Comment(s)

Management did not concur with recommendation. Management suggested rewording the recommendation to state NARA should re-evaluate its current password policy and conduct a risk assessment of the impact of modifying its current policy to match FDCC settings.

OIG Response to Management Response

We do not concur that management should re-evaluate its current password policy and conduct a risk assessment.
Our recommendation reflects the OMB mandated FDCC password requirements. According to an OMB official, OMB expects 100 percent compliance and if an agency is not compliant, they should have a plan to get to full FDCC compliance.

National Archives and Records Administration
8601 Adelphi Road
College Park, Maryland 20740-6001

Date: AUG 19 2008

To: Office of Inspector General (OIG)

From: Office of Information Services (NH)

Subject: Comments on Draft Report 08-10: Audit of NARA's Implementation of the Federal Desktop Core Configuration

We thank you for the opportunity to review and comment on the subject draft report, as well as for meeting with us on August 7th and making agreed-upon changes to the report. As we discussed at the meeting, what follows are our comments on each of the recommendations and the current status of our FDCC implementation. While we acknowledge the "snapshot in time" for this and other performance audits, we do hope the OIG will note and acknowledge the progress we have made since the field work was completed for this audit earlier this year.

Our Office continues to work diligently to comply with this and other OMB mandates to secure all our IT systems to ensure reliability, integrity, and availability of NARA information resources.
Please call me at any time to discuss our IT program for this and any other issue.

Technical questions about the status of our FDCC implementation can be directed to [name redacted pursuant to FOIA Exemption b(6)] or [name redacted].

[signature]
Assistant Archivist for Information Services

NARA's web site is http://www.archives.gov

COMMENTS ON OIG DRAFT REPORT 08-10:
AUDIT OF NARA'S IMPLEMENTATION OF THE FEDERAL DESKTOP CORE CONFIGURATION

Recommendation 1 - Management Comment(s): We concur with the recommendation. Both items (a) and (b) have already been completed. RFC 1601 (provided to the auditor) includes the history of work that has occurred to meet both of these recommendations.

Recommendation 2 - Management Comment(s): We concur with the recommendation, provided NIST or OMB allow for any explanations to be provided with future submissions related to FDCC. However, the desktop environment currently is much different than what was current at the end of March 2008. If the recommendation is to provide a disclaimer regarding the March submission to NIST, and not what is current at the time of the next status report, then this can be done provided there is the ability to provide additional explanations with the submission.

Recommendation 3 - Management Comment(s): We concur with the recommendation. As stated under recommendation 1 above, implementation and test plans have already been developed and FDCC settings (minus deviations) have already been pushed to desktops enterprise-wide. 
RFC 1601 includes the history of work that has occurred to meet this recommendation.

Recommendation 4 - Management Comment(s): We concur with the recommendation. The remaining FDCC deviations have been individually added to the "NARANET GSS Desktops" Plan of Action and Milestones (POA&M).

Recommendation 5 - Management Comment(s): The recommendation as currently worded does not fit in with NARA's plans to address the password-related FDCC deviations on the agency's desktops. As such, we do not concur with this recommendation as it is currently constructed. We would suggest that the recommendation be re-worded to state that NARA will re-evaluate its current password policy and conduct a risk assessment of the impact of modifying its current policy to match FDCC settings.

The password settings that deviate from FDCC settings have been added to the NARANET GSS Desktops POA&M, where they will be evaluated and tracked. Five of the current deviations are related to password settings. As part of re-evaluating the current password settings and possibly changing them to match the FDCC, NARA would need to implement these same settings within [redacted].
